You must sign all API requests to ensure security. Alibaba Cloud uses the request signature to verify the identity of the API caller. Elastic Desktop Service (EDS) implements symmetric encryption with an AccessKey pair to verify the identity of the request sender.


You must add the signature to the EDS API request in the following format:

In the preceding format:
  • SignatureMethod: the encryption method of the signature string. Set the value to HMAC-SHA1.
  • SignatureVersion: the version of the signature encryption algorithm. Set the value to 1.0.
  • SignatureNonce: a unique random number used to prevent replay attacks. You must use different random numbers for different requests. We recommend that you use universally unique identifiers (UUIDs).
  • Signature: the signature generated after the request is symmetrically encrypted by using the AccessKey secret.
Calculate the hash-based message authentication code (HMAC) value of the string-to-sign as defined in RFC 2104. Use the Secure Hash Algorithm 1 (SHA-1) algorithm to calculate the HMAC value. The Java Base64 encoding method is used in this example.
Signature = Base64( HMAC-SHA1( AccessSecret, UTF-8-Encoding-Of(StringToSign)) )
Note When you calculate the signature, the key value specified by RFC 2104 is your AccessKeySecret with an ampersand (&) which has an ASCII value of 38. For more information, see Create an AccessKey pair.

Step 1: Compose and encode a string-to-sign

  1. Use request parameters to construct a canonicalized query string.
    1. Create a canonicalized query string by arranging the request parameters (including all common and operation-specific parameters except Signature) in alphabetical order.
      Note If you use the GET method to send a request, the request parameters are included as a part of the request URL. The first parameter follows a question mark (?) in the URL, and the other parameters are connected by ampersands (&).
    2. Encode the canonicalized query string in UTF-8. The following table describes the encoding rules.
      Character Encoding rule
      Uppercase letters, lowercase letters, digits, hyphens (-), underscores (_), periods (.), and tildes (~) These characters do not need to be encoded.
      Other characters These characters must be percent encoded in the %XY format. XY represents the ASCII code of the characters in hexadecimal notation. For example, double quotation marks (") are encoded as %22.
      Extended UTF-8 characters These characters are encoded in the %XY%ZA... format.
      Spaces Spaces must be encoded as %20. Do not encode spaces as plus signs (+).
      This encoding method is different from the application/x-www-form-urlencoded MIME encoding algorithm, such as the class provided by the Java standard library. However, you can apply the encoding algorithm and then in the encoded string, replace the plus sign (+) with %20, the asterisk (*) with %2A, and the tilde (~) with %7E. You can use the following percentEncode method to implement the algorithm:
      private static final String ENCODING = "UTF-8";
      private static String percentEncode(String value) throws UnsupportedEncodingException 
      return value ! = null ? URLEncoder.encode(value, ENCODING).replace("+", "%20").replace("*", "%2A").replace("%7E", "~") : null;
    3. Connect the encoded parameter names and the values by using equal signs (=).
    4. Sort the connected parameter name and value pairs in the order specified in Step i and connect the pairs by using ampersands (&) to obtain the canonicalized query string.
  2. Create a string-to-sign from the encoded canonicalized query string based on the following rules:
      HTTPMethod + "&" +
      percentEncode("/") + "&" +

    In the preceding rules,

    • HTTPMethod: the HTTP method used to send the request, such as GET.
    • percentEncode("/"): Encode the backslashes (/) in the URL as %2F.
    • percentEncode(CanonicalizedQueryString): Encode the canonicalized query string based on the URL encoding rule described in Step 1 and Step 2.

Step 2: Calculate the signature string

  1. Calculate the HMAC value of the string-to-sign as defined in RFC 2104.
    Note Use the SHA1 algorithm to calculate the HMAC value of the string-to-sign. The combination of your AccessKey secret and an ampersand (&) (ASCII code 38) that follows the secret is used as the key for the HMAC calculation.
  2. Encode the HMAC value in Base64 to obtain the signature string.
  3. Add the signature string to the request as the Signature parameter.
    Note When the obtained signature value is submitted as the final request parameter value, the value must be URL-encoded that is similar to other parameters based on rules defined in RFC 3986.

Signature examples

In the following example, the DescribeDesktops API operation is used. Assume that the AccessKey ID is testid and AccessKey secret is testsecret. The following example shows the request URL to be signed:

The following signature string is calculated by using testsecret&:


Add the signature string to the request as the Signature parameter. The following signed URL is obtained: